Bug 1943558 - [assisted operator] Assisted Service pod unable to reach self signed local registry in disco environment
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: assisted-installer
Version: 4.8
Hardware: x86_64
OS: Linux
Priority: urgent
Severity: urgent
Target Milestone: ---
Target Release: 4.8.0
Assignee: yevgeny shnaidman
QA Contact: Chad Crum
Whiteboard: AI-Team-Core
Duplicates: 1955322
 
Reported: 2021-03-26 12:30 UTC by Chad Crum
Modified: 2021-07-27 22:56 UTC

Last Closed: 2021-07-27 22:56:00 UTC


Links
System ID: Red Hat Product Errata RHSA-2021:2438
Private: 0
Priority: None
Status: None
Summary: None
Last Updated: 2021-07-27 22:56:36 UTC

Comment 1 Richard Su 2021-04-30 14:25:59 UTC
Hi Chad,

In Steps to Reproduce (1), did you add the self-signed certificate to the additionalTrustBundle: as noted in [2]?

And did that create a user-ca-bundle config map in the openshift-config namespace?

If yes, then what do you think about having the assisted-service operator look for either the user-ca-bundle config map or the config map through the injection method described in [3]? If it finds a config map containing the self-signed certificate, the controller will then mount it as a volume to /etc/pki/ca-trust/extracted/pem.

[2] https://docs.openshift.com/container-platform/4.6/installing/installing_bare_metal_ipi/ipi-install-installation-workflow.html#modify-the-install-config-yaml-file-to-use-the-disconnected-registry-optional

[3] https://access.redhat.com/documentation/en-us/openshift_container_platform/4.7/html/networking/configuring-a-custom-pki#certificate-injection-using-operators_configuring-a-custom-pki
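
The injection method from [3] that the comment above proposes, written out as a manifest. This is an added example, not part of the original comment and not the assisted-service operator's own code; the namespace, ConfigMap, Deployment and image names are placeholders.

```yaml
# Empty ConfigMap carrying the injection label. The Cluster Network Operator
# populates the key ca-bundle.crt with the merged trust bundle: the system CAs
# plus the ConfigMap referenced by the cluster Proxy's trustedCA field
# (for example user-ca-bundle in openshift-config).
apiVersion: v1
kind: ConfigMap
metadata:
  name: trusted-ca              # placeholder name
  namespace: example-ns         # placeholder namespace
  labels:
    config.openshift.io/inject-trusted-cabundle: "true"
---
# Workload that mounts the injected bundle where the system trust store
# expects its extracted PEM file.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: registry-client         # placeholder name
  namespace: example-ns
spec:
  replicas: 1
  selector:
    matchLabels:
      app: registry-client
  template:
    metadata:
      labels:
        app: registry-client
    spec:
      containers:
        - name: registry-client
          image: registry.example.com/example/registry-client:latest  # placeholder image
          volumeMounts:
            - name: trusted-ca
              mountPath: /etc/pki/ca-trust/extracted/pem
              readOnly: true
      volumes:
        - name: trusted-ca
          configMap:
            name: trusted-ca
            items:
              - key: ca-bundle.crt        # key written by the injector
                path: tls-ca-bundle.pem   # file name the trust store reads
```

The mount replaces the image's own contents of /etc/pki/ca-trust/extracted/pem, so the pod trusts exactly what the injected bundle contains. If the self-signed registry CA is not in the ConfigMap that trustedCA references, it will not appear in the injected bundle.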

Comment 2 Michael Hrivnak 2021-04-30 14:50:43 UTC
This feature is still WIP. It should land here: https://github.com/openshift/assisted-service/pull/1595

Comment 3 Chad Crum 2021-05-04 12:55:23 UTC
Looks like the PR merged - I'll run through testing it today.

Comment 4 Chad Crum 2021-05-04 13:35:33 UTC
By the way, the operator.md is not correct - I opened https://bugzilla.redhat.com/show_bug.cgi?id=1956822 to correct it.

Comment 5 Ronnie Lazar 2021-05-10 11:05:27 UTC
Isn't this a dupe of https://bugzilla.redhat.com/show_bug.cgi?id=1956937?

Comment 6 Flavio Percoco 2021-05-10 12:54:26 UTC
*** Bug 1955322 has been marked as a duplicate of this bug. ***

Comment 7 Chad Crum 2021-05-10 14:13:53 UTC
I validated that I can set a disconnected registry CA using this commit [1].

I'm able to deploy assisted service using the mirror registry change included in the above commit [2].


[1] https://github.com/openshift/assisted-service/commit/d42b8c859f82eb4938142dd0ca32d7357df435af

[2] https://github.com/openshift/assisted-service/blob/master/docs/operator.md#mirror-registry-configuration

Comment 8 Chad Crum 2021-05-10 14:15:57 UTC
This BZ is related to https://bugzilla.redhat.com/show_bug.cgi?id=1956937 (which I also updated).

Comment 11 errata-xmlrpc 2021-07-27 22:56:00 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: OpenShift Container Platform 4.8.2 bug fix and security update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2021:2438

